From 0549ddb90f1553553dcb1b348e2884076e7cba3e Mon Sep 17 00:00:00 2001 From: "Kirill A. Shutemov" Date: Mon, 9 Mar 2015 23:11:12 +0200 Subject: UPSTREAM: pagemap: do not leak physical addresses to non-privileged userspace (cherry pick from commit ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce) As pointed by recent post[1] on exploiting DRAM physical imperfection, /proc/PID/pagemap exposes sensitive information which can be used to do attacks. This disallows anybody without CAP_SYS_ADMIN to read the pagemap. [1] http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html [ Eventually we might want to do anything more finegrained, but for now this is the simple model. - Linus ] Signed-off-by: Kirill A. Shutemov Acked-by: Konstantin Khlebnikov Acked-by: Andy Lutomirski Cc: Pavel Emelyanov Cc: Andrew Morton Cc: Mark Seaborn Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Bug: 25739721 Change-Id: I0b0cf101125b10a3316ef54959e24d7ca1d3a3c6 --- fs/proc/task_mmu.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c index dcbe86f031eb..cd55bf71906d 100644 --- a/fs/proc/task_mmu.c +++ b/fs/proc/task_mmu.c @@ -1363,6 +1363,9 @@ out: static int pagemap_open(struct inode *inode, struct file *file) { + /* do not disclose physical addresses: attack vector */ + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; pr_warn_once("Bits 55-60 of /proc/PID/pagemap entries are about " "to stop being page-shift some time soon. See the " "linux/Documentation/vm/pagemap.txt for details.\n"); -- cgit v1.2.3 From a9ac1262ce80c287562e604f3bb24f232fcb686e Mon Sep 17 00:00:00 2001 
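Review bot: The `capable(CAP_SYS_ADMIN)` check in `pagemap_open()` refuses the open outright for every non-privileged caller, which also removes the page-present and swapped bits that tools with no interest in PFNs read from this file; since the commit message itself says something more fine-grained may be wanted later, the alternative worth noting is to keep the open succeeding and instead mask the physical-frame field of each entry when the reader lacks `CAP_SYS_ADMIN`. Two smaller points on the hunk: the comment `/* do not disclose physical addresses: attack vector */` would be clearer if it named the capability being required, and because the check sits before `pr_warn_once()`, the bits-55-60 deprecation warning now only fires on privileged opens, which is acceptable but should be a deliberate choice.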
From: John Stultz Date: Tue, 17 Nov 2015 08:35:54 -0800 Subject: ANDROID: exec_domains: Disable request_module() call for personalities With Android M, Android environments use a separate execution domain for 32bit processes. See: https://android-review.googlesource.com/#/c/122131/ This results in systems that use kernel modules to see selinux audit noise like: type=1400 audit(28.989:15): avc: denied { module_request } for pid=1622 comm="app_process32" kmod="personality-8" scontext=u:r:zygote:s0 tcontext=u:r:kernel:s0 tclass=system While using kernel modules is unadvised, some systems do require them. Thus to avoid developers adding sepolicy exceptions to allow for request_module calls, this patch disables the logic which tries to call request_module for the 32bit personality (ie: personality-8), which doesn't actually exist. Change-Id: I6885347e69d5778e69ad5312f56f389be7bb4883 Signed-off-by: John Stultz --- kernel/exec_domain.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/kernel/exec_domain.c b/kernel/exec_domain.c index 83d4382f5699..e0a3c71f2734 100644 --- a/kernel/exec_domain.c +++ b/kernel/exec_domain.c @@ -68,7 +68,14 @@ lookup_exec_domain(unsigned int personality) goto out; } -#ifdef CONFIG_MODULES +/* + * Disable the request_module here to avoid trying to + * load the personality-8 module, which doesn't exist, + * and results in selinux audit noise. + * Disabling this here avoids folks adding module_request + * to their sepolicy, which is maybe too generous + */ +#if 0 read_unlock(&exec_domains_lock); request_module("personality-%d", pers); read_lock(&exec_domains_lock); -- cgit v1.2.3
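Review bot: Replacing `#ifdef CONFIG_MODULES` with `#if 0` disables `request_module()` for every personality, not only the `personality-8` case the comment and commit message describe, so any exec domain that legitimately lives in a module would no longer be autoloaded; if the intent is only to silence the 32-bit Android case, the narrower change is to skip the `request_module()` call for that specific personality (or to gate the block on a Kconfig option) rather than `#if 0`-ing it, which also leaves permanently dead code, including the `read_unlock`/`read_lock` pair, in the tree. The added comment's closing clause "which is maybe too generous" would read better as a concrete statement, for example that granting `module_request` in sepolicy lets the domain trigger arbitrary module loads.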